Application security

Learn how to do application security right in your organization

Patrick McSweeney
February 9, 2022 by
Patrick McSweeney

The number of web applications continues to grow every year, and they remain a primary area of focus for cybercriminals and other malicious actors. Web apps are — by far — the top hacking vector in data breaches, accounting for approximately 90% of the 1,610 incidents tracked in Verizon's 2021 Data Breach Investigations Report. 

"The conventional solutions to application security problems tend to be completely backward," says Ted Harrington, a renowned speaker, author and ethical hacker. "To stay ahead of cybercriminals, you have to learn how attackers think, how they operate and how they break systems."

That's why Harrington created his new 11-course Infosec Skills learning path, How to Do Application Security Right, named after his best-selling book. The learning path identifies cybersecurity misconceptions many organizations have about application security (AppSec). 

"Participants will walk away with very actionable, applicable advice at a strategic level that they can take back to their organizations and immediately implement," Harrington says. "The stories, strategies and tactics you'll learn in these courses are all based on decades of ethical hacking and security research. And you'll learn the ultimate payoff: how to convert your security investment into a competitive advantage."

Who needs application security training?

Harrington says there are three overlapping groups of professionals that would receive the most benefit from his learning path:

  • Tech and company leaders
  • Application developers 
  • Other cybersecurity professionals

"These courses live at the strategic and principal level — with the first group being tech leaders who are responsible for the security of a system: CTOs, CIOs, CISOs and VPs of engineering. It's helpful for those whose purview includes security and building applications in a secure manner," explains Harrington.

"The second group this training is for is the developers who are actually building the system with the expectation that considers security. The third audience is security professionals who might already be application security experts and are looking for new ways to think about the same ideas and improve the end results." 

A strategic approach to application security

Each of his courses includes a combination of videos and exercises addressing one primary cybersecurity misconception. "I give you the concepts and all the materials to create an exercise to take home to your company."

He designed the training to provide a strategic, principled approach to the right way to address security, and it's agnostic of any specific tool because the tools keep changing. 

"Some people don't understand what penetration testing is and what it's not — how it's different from vulnerability scanning or vulnerability assessments," says Harrington. "Which one should you use in different situations to understand your weaknesses? I address that."

"Other people have mistaken notions about how they should work with security partners. Should they withhold information because the attacker doesn't have it? Or should they share information because they're trying to actually figure out the problems? I address stuff like that and how you should think about threat modeling — in terms of thinking about who the attackers are and what they care about." 

Don't be scared to learn application security

Harrington says people's misconceptions around hacking or cybersecurity can keep them from pursuing a career they may truly enjoy. 

"It prevents a lot of really talented people from getting into the ethical hacking side of the security community. They think, 'Well, that's really scientific. It's really mathematical. The people who are good at it are super smart. I don't think that I'm capable of that.' That is a very common belief people have, including talented security professionals."

Ten years ago, Harrington wasn't even in cybersecurity, and now he's a best-selling author and instructor. 

"Every single person who has ever achieved excellence didn't know anything at one point, but they set out with that mindset of curiosity: Let me see if I can understand this. It's possible. You can do it. I'm evidence of the fact you can do it, and you can excel at it. Just don't be scared and put in the work."

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

To learn more about Ted Harrington's How to Do Application Security Right learning path, create your free Infosec Skills account.

About Ted Harrington

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications and password managers. He's helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon and Netflix. 

Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit

Patrick McSweeney
Patrick McSweeney

Patrick McSweeney began his career in print and then broadcast journalism before pivoting to become an award-winning public relations strategist. During the past 30 years, he has worked with clients ranging from technology companies to food retailers, restaurants, tourism destinations and from manufacturers to nonprofits, real estate development and government agencies.